Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(165)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/ssl3con.c

Issue 7058049: Added client-side support for the TLS cached info extension. This feature is disabled by default ... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/socket/ssl_client_socket_nss.cc ('K') | « net/third_party/nss/ssl/ssl.h ('k') | net/third_party/nss/ssl/ssl3ext.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * SSL3 Protocol 2 * SSL3 Protocol
3 * 3 *
4 * ***** BEGIN LICENSE BLOCK ***** 4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 * 6 *
7 * The contents of this file are subject to the Mozilla Public License Version 7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with 8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at 9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/ 10 * http://www.mozilla.org/MPL/
(...skipping 8000 matching lines...) Expand 10 before | Expand all | Expand 10 after
8011 goto loser; 8011 goto loser;
8012 } 8012 }
8013 goto cert_block; 8013 goto cert_block;
8014 } 8014 }
8015 8015
8016 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 8016 ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
8017 if ( arena == NULL ) { 8017 if ( arena == NULL ) {
8018 goto loser; /* don't send alerts on memory errors */ 8018 goto loser; /* don't send alerts on memory errors */
8019 } 8019 }
8020 8020
8021 /* First get the peer cert. */ 8021 if (length == 12 && ssl3_ExtensionNegotiated(ss, ssl_cached_info_xtn)) {
wtc 2011/06/17 22:57:09 BUG: you need to check that the received certifica
rkn 2011/06/20 21:21:09 Done.
8022 remaining -= 3; 8022 /* We are dealing with a certificate_chain digest */
8023 if (remaining < 0)
8024 » goto decode_loser;
8025 8023
8026 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); 8024 /* First get the peer cert. */
8027 if (size <= 0) 8025 if (ss->ssl3.predictedCertChain[0] == NULL) {
8028 » goto loser;» /* fatal alert already sent by ConsumeHandshake. */ 8026 desc = handshake_failure;
8029 8027 goto alert_loser;
8030 if (remaining < size) 8028 » }
8031 » goto decode_loser; 8029 ss->sec.peerCert = CERT_DupCertificate(ss->ssl3.predictedCertChain[0]);
8032 8030 »
8033 certItem.data = b; 8031 /* Now get all of the CA certs. */
8034 certItem.len = size; 8032 » ssl3CertNode *certNodeCurrent;
wtc 2011/06/17 22:57:09 Declare the variable at the beginning of the block
rkn 2011/06/20 21:21:09 Done (It is ok to put the declaration after the co
8035 b += size; 8033 » ss->ssl3.peerCertChain = certNodeCurrent
8036 length -= size; 8034 » = PORT_ArenaNew(arena, ssl3CertNode);
8037 remaining -= size; 8035 » if (certNodeCurrent == NULL) {
8038
8039 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
8040 PR_FALSE, PR_TRUE);
8041 if (ss->sec.peerCert == NULL) {
8042 » /* We should report an alert if the cert was bad, but not if the
8043 » * problem was just some local problem, like memory error.
8044 » */
8045 » goto ambiguous_err;
8046 }
8047
8048 /* Now get all of the CA certs. */
8049 while (remaining > 0) {
8050 » remaining -= 3;
8051 » if (remaining < 0)
8052 » goto decode_loser;
8053
8054 » size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
8055 » if (size <= 0)
8056 » goto loser;»/* fatal alert already sent by ConsumeHandshake. */
8057
8058 » if (remaining < size)
8059 » goto decode_loser;
8060
8061 » certItem.data = b;
8062 » certItem.len = size;
8063 » b += size;
8064 » length -= size;
8065 » remaining -= size;
8066
8067 » c = PORT_ArenaNew(arena, ssl3CertNode);
8068 » if (c == NULL) {
8069 goto loser; /* don't send alerts on memory errors */ 8036 goto loser; /* don't send alerts on memory errors */
8070 } 8037 }
8071 8038 » certNodeCurrent->cert =
8072 » c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL, 8039 » CERT_DupCertificate(ss->ssl3.predictedCertChain[0]);
wtc 2011/06/17 22:57:09 ss->ssl3.predictedCertChain[0] should not be added
rkn 2011/06/20 21:21:09 Done.
8073 » PR_FALSE, PR_TRUE); 8040 » int i = 1;
8074 » if (c->cert == NULL) { 8041 » while (ss->ssl3.predictedCertChain[i] != NULL) {
8042 » certNodeCurrent->next = PORT_ArenaNew(arena, ssl3CertNode);
8043 » if (certNodeCurrent->next == NULL) {
8044 » goto loser; /* don't send alerts on memory errors */
8045 » }
8046 » certNodeCurrent = certNodeCurrent->next;
8047 » certNodeCurrent->cert =
8048 » CERT_DupCertificate(ss->ssl3.predictedCertChain[i]);
8049 » i++;
8050 » }
8051 » certNodeCurrent->next = NULL;
8052 } else {
8053 /* We are dealing with a regular certificate message */
8054
8055 /* First get the peer cert. */
8056 remaining -= 3;
8057 if (remaining < 0)
8058 » goto decode_loser;
8059
8060 size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
8061 if (size <= 0)
8062 » goto loser;»/* fatal alert already sent by ConsumeHandshake. */
8063
8064 if (remaining < size)
8065 » goto decode_loser;
8066
8067 certItem.data = b;
8068 certItem.len = size;
8069 b += size;
8070 length -= size;
8071 remaining -= size;
8072
8073 ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem,
8074 » » » » » » NULL, PR_FALSE, PR_TRUE);
8075 if (ss->sec.peerCert == NULL) {
8076 » /* We should report an alert if the cert was bad, but not if the
8077 » * problem was just some local problem, like memory error.
8078 » */
8075 goto ambiguous_err; 8079 goto ambiguous_err;
8076 » } 8080 }
8077 8081
8078 » if (c->cert->trust) 8082 /* Now get all of the CA certs. */
8079 » trusted = PR_TRUE; 8083 while (remaining > 0) {
8080 8084 » remaining -= 3;
8081 » c->next = NULL; 8085 » if (remaining < 0)
8082 » if (lastCert) { 8086 » goto decode_loser;
8083 » lastCert->next = c; 8087
8084 » } else { 8088 » size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
8085 » certs = c; 8089 » if (size <= 0)
8086 » } 8090 » goto loser; /* fatal alert already sent by ConsumeHandshake. */
8087 » lastCert = c; 8091
8092 » if (remaining < size)
8093 » goto decode_loser;
8094
8095 » certItem.data = b;
8096 » certItem.len = size;
8097 » b += size;
8098 » length -= size;
8099 » remaining -= size;
8100 »
8101 » c = PORT_ArenaNew(arena, ssl3CertNode);
8102 » if (c == NULL) {
8103 » goto loser;» /* don't send alerts on memory errors */
8104 » }
8105
8106 » c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
8107 » » » » » PR_FALSE, PR_TRUE);
8108 » if (c->cert == NULL) {
8109 » goto ambiguous_err;
8110 » }
8111
8112 » if (c->cert->trust)
8113 » trusted = PR_TRUE;
8114
8115 » c->next = NULL;
8116 » if (lastCert) {
8117 » lastCert->next = c;
8118 » } else {
8119 » certs = c;
8120 » }
8121 » lastCert = c;
8122 }
8123
8124 if (remaining != 0)
8125 goto decode_loser;
8088 } 8126 }
8089 8127
8090 if (remaining != 0)
8091 goto decode_loser;
8092
8093 SECKEY_UpdateCertPQG(ss->sec.peerCert); 8128 SECKEY_UpdateCertPQG(ss->sec.peerCert);
8094 8129
8095 /* 8130 /*
8096 * Ask caller-supplied callback function to validate cert chain. 8131 * Ask caller-supplied callback function to validate cert chain.
8097 */ 8132 */
8098 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, 8133 rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
8099 PR_TRUE, isServer); 8134 PR_TRUE, isServer);
8100 if (rv) { 8135 if (rv) {
8101 errCode = PORT_GetError(); 8136 errCode = PORT_GetError();
8102 if (!ss->handleBadCert) { 8137 if (!ss->handleBadCert) {
(...skipping 1626 matching lines...) Expand 10 before | Expand all | Expand 10 after
9729 ssl_GetXmitBufLock(ss); /**************************************/ 9764 ssl_GetXmitBufLock(ss); /**************************************/
9730 9765
9731 /* start off a new handshake. */ 9766 /* start off a new handshake. */
9732 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss) 9767 rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
9733 : ssl3_SendClientHello(ss); 9768 : ssl3_SendClientHello(ss);
9734 9769
9735 ssl_ReleaseXmitBufLock(ss); /**************************************/ 9770 ssl_ReleaseXmitBufLock(ss); /**************************************/
9736 return rv; 9771 return rv;
9737 } 9772 }
9738 9773
9774 static void
9775 ssl3_CleanupPredictedPeerCertificates(sslSocket *ss) {
9776 unsigned int i;
9777
9778 if (!ss->ssl3.predictedCertChain)
9779 return;
9780
9781 for (i = 0; ss->ssl3.predictedCertChain[i]; i++) {
9782 CERT_DestroyCertificate(ss->ssl3.predictedCertChain[i]);
9783 }
9784
9785 PORT_Free(ss->ssl3.predictedCertChain);
9786 ss->ssl3.predictedCertChain = NULL;
9787 }
9788
9739 /* Called from ssl_DestroySocketContents() in sslsock.c */ 9789 /* Called from ssl_DestroySocketContents() in sslsock.c */
9740 void 9790 void
9741 ssl3_DestroySSL3Info(sslSocket *ss) 9791 ssl3_DestroySSL3Info(sslSocket *ss)
9742 { 9792 {
9743 9793
9744 if (ss->ssl3.clientCertificate != NULL) 9794 if (ss->ssl3.clientCertificate != NULL)
9745 CERT_DestroyCertificate(ss->ssl3.clientCertificate); 9795 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
9746 9796
9747 if (ss->ssl3.clientPrivateKey != NULL) 9797 if (ss->ssl3.clientPrivateKey != NULL)
9748 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); 9798 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
9749 #ifdef NSS_PLATFORM_CLIENT_AUTH 9799 #ifdef NSS_PLATFORM_CLIENT_AUTH
9750 if (ss->ssl3.platformClientKey) 9800 if (ss->ssl3.platformClientKey)
9751 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 9801 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
9752 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 9802 #endif /* NSS_PLATFORM_CLIENT_AUTH */
9753 9803
9754 if (ss->ssl3.peerCertArena != NULL) 9804 if (ss->ssl3.peerCertArena != NULL)
9755 ssl3_CleanupPeerCerts(ss); 9805 ssl3_CleanupPeerCerts(ss);
9756 9806
9757 if (ss->ssl3.clientCertChain != NULL) { 9807 if (ss->ssl3.clientCertChain != NULL) {
9758 CERT_DestroyCertificateList(ss->ssl3.clientCertChain); 9808 CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
9759 ss->ssl3.clientCertChain = NULL; 9809 ss->ssl3.clientCertChain = NULL;
9760 } 9810 }
9761 9811
9812 if (ss->ssl3.predictedCertChain != NULL)
9813 ssl3_CleanupPredictedPeerCertificates(ss);
9814
9762 /* clean up handshake */ 9815 /* clean up handshake */
9763 if (ss->opt.bypassPKCS11) { 9816 if (ss->opt.bypassPKCS11) {
9764 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE); 9817 SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
9765 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE); 9818 MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
9766 } 9819 }
9767 if (ss->ssl3.hs.md5) { 9820 if (ss->ssl3.hs.md5) {
9768 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE); 9821 PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
9769 } 9822 }
9770 if (ss->ssl3.hs.sha) { 9823 if (ss->ssl3.hs.sha) {
9771 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); 9824 PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
(...skipping 20 matching lines...) Expand all
9792 9845
9793 ss->ssl3.initialized = PR_FALSE; 9846 ss->ssl3.initialized = PR_FALSE;
9794 9847
9795 if (ss->ssl3.nextProto.data) { 9848 if (ss->ssl3.nextProto.data) {
9796 PORT_Free(ss->ssl3.nextProto.data); 9849 PORT_Free(ss->ssl3.nextProto.data);
9797 ss->ssl3.nextProto.data = NULL; 9850 ss->ssl3.nextProto.data = NULL;
9798 } 9851 }
9799 } 9852 }
9800 9853
9801 /* End of ssl3con.c */ 9854 /* End of ssl3con.c */
OLDNEW
« net/socket/ssl_client_socket_nss.cc ('K') | « net/third_party/nss/ssl/ssl.h ('k') | net/third_party/nss/ssl/ssl3ext.c » ('j') | net/third_party/nss/ssl/ssl3ext.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698